By SecureWorld News Team
Mon | Jan 6, 2025 | 5:38 AM PST

In the SecureWorld Spotlight Series, we learn about the speakers and Advisory Council members that make our events a success. In Q&A format, they share about their professional journeys, unique experiences, and hopes for the future of cybersecurity—along with some personal anecdotes.

Richard Staynings is a renowned thought leader, author, public speaker, and advocate for improved cybersecurity across the Healthcare and Life Sciences industry. He has served on various industry and international cybersecurity committees and presented or lectured on cybersecurity themes or concerns all over the world. He has advised numerous government and industry leaders on their healthcare security strategy and defensive posture, and has served as a subject matter expert on government Committees of Inquiry into some of the highest profile healthcare breaches.

Richard is currently Chief Security Strategist for Cylera, a pioneer in the space of medical device and IoT security. He is also author of Cyber Thoughts, a leading healthcare cybersecurity blog, teaches postgraduate courses in cybersecurity at the University of Denver University College, and is a retained advisor to a number of governments and private companies.

A recovering CISO, with more than 30 years' experience of both cybersecurity leadership and client consulting mostly in healthcare, Richard has lived in more than 30 countries and delivered innovative solutions to organizations in all of them. For the past 25 years, he has resided in Boulder, Colorado, and calls the Rockies home when he is not flying to or from a security event or conference in some distant part of the world.

Get to know Richard Staynings

Q: How important do you think hobbies are for overall well-being? What hobbies have you picked up during your career that have helped you de-stress? Do you believe hobbies can contribute to professional success? If so, how?
A: Living in Colorado, I'm a big skier and maybe the guy you hear taking a conference call from the lift on a Friday morning. I love the mountains. I also love the ocean and have well over 600 documented scuba dives – though not in Colorado, I may add. Usually much warmer tropical locations.

Not sure that I have time for hobbies per se, but I do enjoy traveling and visiting new places. That fits in well with my lifestyle and frantic work and conference schedule. I speak at between 30 and 40 security conferences every year, and many of those are in some pretty great locations. Fortunately, my wife likes to come with me on some of those trips, so we can spend more time together and combine business with recreation.

As a recent example, I was asked to speak at the Global Cybersecurity Forum in Riyadh, Saudi Arabia, in October 2024, so I tacked on a few days to see the sights of Riyadh on the way in (all part of the acclimation process so I am awake and alert on stage), and then on the way out we flew to Al Ula to visit the ancient ruins of Hegra (Mada'in Salih) and stayed in a luxury tent with AC and a pool in the desert for a week.

Cylera has customers in Europe, UAE, Oman, and Thailand, so I'll typically add a few personal days on to a trip and hit the beach, visit the sights, or an island somewhere. It kills two birds with one stone and helps me recharge before or after an event or business meeting.

I have been flying more or less every week for the past 30 years as a consultant and as a speaker. Before kids, my wife used to travel for work extensively, so it's second nature to both of us by now. We can both work well from a laptop on more or less any time zone from any hotel with decent internet access.

Q: You've had a fascinating career in cybersecurity. Did you always know this is where you'd end up? And, just for fun, have you had any unexpected jobs along the way that might surprise your listeners?
A: As a small boy, my father took me into his office one Saturday morning to pick up some files he'd left and needed over the weekend. While there, he showed me the computer room. I was fascinated by all the tall machines with their spinning tapes and whirring disk drums and thought it was very cool. I came home and told everyone I was going to work with computers when I grew up. Little did I know that I would—albeit eventually.

However, as a student, despite being rather good at math in high school, I ended up pursuing degrees in humanities, social sciences, and business. (My degrees in cybersecurity came much later.) So armed with a Bachelor of Arts degree, I started off working in sales and marketing rather than computer programming or operations, which might have been a better fit for where I ended up years later.

I came into IT from the side as a consultant and worked my way through IT infrastructure management before transitioning to information security. Looking at the folks I have worked with in cybersecurity, most of us in my generation came in from a roundabout route. When we were starting out, there were no degrees in cybersecurity, or even certifications in the space, like there are today.

I have done all kinds of things. As a university student I worked factory shutdowns each summer to keep my car on the road. I worked bar, like many people, and can still make a mean cocktail.

A more exotic role I did was working on the Western Australia Gas Pipeline some years ago. This runs down the west coast of the country and through the Western Desert where it was regularly 45C (113F) and got up to 60C (140F) in the desert. Working outside at those temperatures can be a real test of endurance and I have a lot of respect for the guys that are still doing this day-in and day-out. I learned a lot about SCADA (Supervisory Control and Data Acquisition) systems which came in useful years later in my IT and Cyber career. I also learned a lot about snakes, and Australia has some of the deadliest in the world. They keep you on your toes, that's for sure.

I also worked as a travel writer for several exploration and travel guides by documenting some of my off-the-beaten-track ventures in closed areas and closed countries as they were about to open up. I guess my writing in a notebook illuminated by little more than a candle upriver in a longhouse in the Borneo jungle, or in a mountain cabin in the Himalayas, was good training for the books and papers I write today, though perhaps not as exciting.

Q: What are you going to do when you eventually retire?
A: Not sure I ever will really. I'd like to keep working for as long as I have the mental and physical capability to do so. I enjoy the challenge and having something to get up for. I'm not sure 18 holes of golf every day has the same attraction or mental stimulation.

I guess that's the difference between America and Europe or Australia where a lot of my friends retired at 50 or 55 and do little more today than clog up the roads with their 100-mile bicycle races with other retirees. At least they are thin, I suppose—in contrast to many Americans working in IT or cyber, myself included.

I'd like to keep giving back, and that's part of the reason why I teach cybersecurity at the University of Denver and write so much. I like to think that I am making a difference and helping to train and equip the next generation of security professionals.

I also enjoy tackling new challenges like how to secure the growing internet of things, and particularly the healthcare internet of things. That's one of the reasons I joined Cylera: the three founders had a great mission and a passion for accomplishing it.

IoT is the open back door to cybersecurity, especially in healthcare, which has millions of medical and other largely dumb devices—all connected to the medical network. Using AI to automate security of connected assets is the only way we can get in front of the risks and expanded attack surface. As Mobile Health, Consumer Medical Wearables, and a heap of other technologies take over the healthcare industry, it's becoming more and more difficult to keep patients safe and hospitals open to treat them. I like to think that I am helping to secure one of the most critical industries—healthcare—one device at a time.

Q: What is the greatest challenge for security today, and how might you address it? Note that I did not say solve it.
A: How long do we have? I could talk on this subject for a couple of hours, as there are just so many challenges facing us at present. Many of these appear, at least, to be truly insurmountable.

With an academic background in Government, Public Policy, and International Relations, I tend to view some of our cybersecurity challenges through a different conceptual lens than most, especially if we examine attacker versus defender and the tools we have at our disposal to secure our networks from attack.

Every year I have been working in this space, the number and complexity of cyber-attacks has increased, as has the depth, impact, and costs associated with cleaning up a breach and recovering from it. Cyberattacks are not only killing people when hospitals are forced to divert while under attack, but they are closing businesses, and people are losing their jobs and livelihoods in many cases.

This year, cybercrime is expected to cost $10.3 trillion USD. It's growing every year, and by the end of the decade will likely be over $16 trillion. In terms of GDP, cybercrime is already the third largest economy on the planet after the U.S. and China. Today, Cybercrime Inc. is already bigger than the total economic output of Japan, Germany, and France combined. By the end of the decade, it could be bigger than China.

But the types of attack and motivations have changed significantly. It's no longer script kiddies and hacktivists trying to prove a point. The perpetrators are massive and highly organized mafia crime syndicates and nefarious pariah state actors. Their intent is to steal whatever they can, extort whatever they can, and cause as much damage and disruption as possible. Any and all notions of a gentlemanly game of "red" versus "blue" team competition went out the window long ago. These are ruthless criminals and spies. This is now "cyber terrorism"; however, most of our leaders have yet to see it this way. The game has changed, the rules have changed, and we are now at war with terrorists armed with keyboards rather than Kalashnikovs!

The challenge is how do we stop these cyber terrorists, or slow the rapid growth in their numbers?

As a country, as an economy, as a society, we need to see ourselves as being at war with these adversaries intent on destroying all that we hold valuable. When businesses go under and their employees get let go, or when friends and relatives die because the hospital they are ambulanced to is under cyberattack, this is not just extortion or a mere inconvenience; this is personal for all of us. It's a growing problem for everyone in law-abiding countries around the world.

But certain pariah nation-states protect these mafia cybercriminals and cyber terrorists. Some actually encourage their crippling attacks and revenue-generating activities. Russia, China, Iran, and North Korea all have state-employed hackers focused on the theft of IP / military and commercial espionage, causing mass disruption, or the acquisition of hard currency in the form of cryptocurrencies.

North Korea depends on cybercrime to keep Kim's generals in rocket fuel and the Kim dynasty in caviar. Without it, the DPRK's missile program would grind to a halt and its soldiers would likely be eating one another, thanks to the country's failed collective agricultural policy and inability to feed its population.

The growing number of cyberattacks is not just a transnational crime problem, nor an international relations problem; it is a global rule of law problem. As a planet, we need to decide on rules for co-existence unless we rip up notions of globalism and international trade and revert to 19th century isolationism.

The transnational cybersecurity challenge is all part of a much bigger hybrid war between the Axis states and the West. Though cyberattacks are not exclusive to these Axis powers, by volume and impact, they are by far the largest players.

We can see this with the timing of ransomware attacks immediately following a delivery of weapons to Ukraine to defend itself against Russian aggression, or the visit of a leading politician to Taiwan. We saw it with Iranian cyberattacks against Bowman Avenue Dam in New York and against many of the banks on Wall Street following the imposition of sanctions for Iran's nuclear weapons ambitions, or the Stuxnet attack against its uranium enrichment facilities in Natanz, Isfahan.

Cybercrime's slow incremental advance has our leaders fooled and rendered inept to respond to what is now cyber warfare. It's not too dissimilar to Hitler's militarization of the Rhineland in 1936—a gamble that Hitler won, then moved on to occupy Sudetenland in 1938, before taking on even bigger ambitions like the conquest of Europe in 1939. No one stopped him until it was too late. A mistake by a pacifist Britain, France, and an isolationist America that ended up costing millions of innocent lives.

Just as world leaders were sleeping in the 1930s, so leaders in the 2020s are asleep to the reality in front of them. Cybercrime and cyberwar are the new normal. And for the time being, they are here to stay.

Part of the problem is that there are currently no costs being imposed on cybercriminals today, and hence their numbers are growing exponentially. The industry is being lucratively fueled by victims paying ransoms to terrorist groups—something that should be illegal and enforced IMHO. This problem is getting bigger, not smaller, and will continue to do so until we all take a different approach. Doing more of the same and expecting a different result hasn't worked so far, nor will it, I believe.

No amount of throwing money and more cyber resources at security is going to fix this growing challenge. So let's stop rearranging chairs on the Titanic hoping for a different outcome.

We know who many of the perpetrators are; many are already indicted by a U.S. federal grand jury. We know where they work, what cars they drive, where they sleep at night and with whom. It would only take a few examples of direct judicial action to transform international cybercrime into a very expensive and dangerous profession. One with consequences. And one a lot less attractive to Russian teenagers, for sure. Very few cybercriminals are ever brought to justice, and even fewer are renditioned to the West to stand trial. Instead, most hide behind the iron curtain, protected by their puppet masters and mafia dons.

The UN General Assembly adopted a milestone cybercrime treaty on Christmas Eve aimed at strengthening international cooperation to combat cybercrime and protecting societies from digital threats. It's been five years in the making, so I am hopeful that this might finally move the needle for some of the purely commercial cybercrime and the mafia syndicates monetizing cyberattacks.

However, I have grave reservations that it will curtail nation-state sponsored or directed attacks. Nor will it kill off highly organized crime syndicates. Russia has been especially adept at using proxies for its attacks against the West, and China depends upon the theft of commercial trade secrets and intellectual property to keep its state-owned industrial base competitive and growing. Neither form of attack is about to go away. Nor will the Chinese Triads stop laundering money stolen by North Korea or common criminals the world over without a major international effort.

Much of the UN convention goes after human trafficking, drugs, online child sexual abuse, and online scams. Whether it cuts down on the number of spoofed calls from India claiming to be Microsoft tech support remains to be seen, or on the thousands of smishing texts and pig butchering connection requests we all get. If the UN convention improves collaboration between law enforcement agencies to apprehend and prosecute these smaller fish, then it's a help, I suppose. At the very least, it reduces the noise levels and allows cyber teams to focus on what is critical and important.

I doubt, however, the convention will make the slightest difference to the activities of LockBit, Lapsus$, FIN7, REvil, DarkSide, Cl0p, Conti, or their current iterations. Most of these players are extremely useful to Putin and the Kremlin currently, where plausible deniability can be exercised for a hit against another country's critical infrastructure systems, or to send a retaliatory message. Nor will it slow down or stop China's espionage and wholesale theft of intellectual property and commercial trade secrets.

The good news is that anyone working in the cybersecurity space has a job for life, and I don't see that changing any time soon.

You can read more about Richard or watch some of his videos at cyberthoughts.org. His Publications page is regularly updated with links to recent interviews and articles as well as his contributions to books and academic papers. You can also find out where Richard is next presenting to attend a lecture or conference, including SecureWorld events. Richard welcomes LinkedIn connections from other security professionals.

Continue to follow our Spotlight Series for more interviews of industry experts.
